ID Number: G00209052




Determining Criteria for Cloud Security Assessment: It's More than a Checklist
17 March 2011
 
Dan Blum  

Customers require standard cloud security assessment criteria. However, one-size-fits-all checklists won't meet the need for effective, affordable, and flexible assessment criteria. This document will provide guidance on emerging industry assessment and audit frameworks for public cloud computing.

Table of Contents
  • Summary of Findings
  • Guidance Context
    • Problem Statement
    • Guidance Applicability
    • Related Guidance
  • The Gartner Approach
  • The Guidance Framework
    • Understand Business and Security Context of Cloud Use
      • What's the Same
      • What's Different
      • Implications
    • Model and Assess Risk of Cloud Use
      • Identify Inherent Risks or Potential Consequences of Use
      • Determine Residual Risk After Applying Compensating Controls
      • Determine CSP Trust Requirements
      • Develop Approved Patterns for Public Cloud Use
    • Select Assessment Criteria
      • Refine the Security Requirements for the Use Case
      • Study the Cloud Control Standards Landscape
      • Map Use Cases to Assessment Criteria
    • Perform Assessments and Continuous Monitoring
      • Leverage Third-Party Assessments
      • Conduct the Organization's Own Assessments
      • Perform Continuous Monitoring for Medium- or High-Trust CSPs
    • Revisit and Update Approach
  • Risks and Pitfalls
  • Conclusion
  • Recommended Reading
Tables
  • Table 1. Examples of Potential Hosted E-Mail Consequences
  • Table 2. Confidentiality- and Integrity-Sensitive SaaS (Uncompensated)
  • Table 3. Confidentiality-Sensitive SaaS (Compensated)
  • Table 4. Confidentiality- and Integrity-Sensitive IaaS or PaaS (Compensated)
  • Table 5. Availability-Sensitive CSP (Compensated)
Figures
  • Figure 1. Cloud Security Assessment Guidance Framework
  • Figure 2. CSP Assessment Criteria in the Overall Cloud Security Strategy
  • Figure 3. Conceptual Framework for Assessing CSP Risk
  • Figure 4. Low Consequence, Low-Trust Requirement, and Low Residual Risk
  • Figure 5. Medium Consequence, Compensating Controls, and Trust Required to Reach Acceptable Residual Risk
  • Figure 6. Push Down Trust Requirements: A Confidentiality Scenario
  • Figure 7. Push Down Trust Requirements: An Availability Scenario
  • Figure 8. A Pyramid Concept for CSP Vendor Management




© 2011 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 1595116